
> My nomination - when someone has been invited by email to join the site (e.g. in a SaaS system, one user invites someone else to join their team), then don't make them verify their email!

Password reset emails usually expire after a short time for security reasons. Maybe the extra verification step when accepting the invite is for similar reasons when the invitation isn't accepted quickly? Unlike for password reset emails, you can't assume invitation emails are likely to be opened soon after being sent either.



That's a good point.

The difference with a password reset email though is that it unlocks all of the user's existing data - posts, images, contacts, whatever.

For our invite emails, there is no user data yet, since we are inviting them to join as a new user (in our system - HR SaaS - they are actually a candidate). So there is no exposure in having invite links that work for a week or longer.

In some other use cases, yes a new user will see some sensitive data, e.g. their teammates' contact details. In that situation there is a case for very short-lived invite links (just as for password resets).

But still we could do so much better than making them enter the email address again.

I think this is an underdeveloped area of usability in auth systems (that I'm familiar with anyway).
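
The trade-off discussed in this thread, as an added example (not code from either commenter or their product): a signed invite token carries the invited address and an expiry, so redeeming the link stands in for the separate email-verification step, and the lifetime depends on whether the invite exposes existing data. The function names, the one-hour and one-week lifetimes, and the in-memory set of redeemed ids are assumptions.

```python
import base64, hashlib, hmac, json, secrets, time

SECRET = secrets.token_bytes(32)   # assumption: server-side signing key
HOUR, WEEK = 3600, 7 * 24 * 3600   # assumption: short vs. long invite lifetimes
_used = set()                      # assumption: stands in for a table of redeemed invite ids


def _b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_invite(email, exposes_existing_data, now=None):
    """Build the token placed in the invite link mailed to `email`."""
    now = time.time() if now is None else now
    # Short-lived when accepting reveals data (e.g. teammates' contact details).
    ttl = HOUR if exposes_existing_data else WEEK
    claims = {"email": email.lower(), "exp": int(now + ttl),
              "jti": secrets.token_hex(8)}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def accept_invite(token, now=None):
    """Return the invited email (already verified by the link) or raise ValueError."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        given = _unb64(sig)
    except ValueError:
        raise ValueError("malformed invite") from None
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(given, expected):   # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))               # parsed only after the MAC checks out
    if now >= claims["exp"]:
        raise ValueError("invite expired")
    if claims["jti"] in _used:                      # single use: a replayed link is rejected
        raise ValueError("invite already used")
    _used.add(claims["jti"])
    return claims["email"]
```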



